T1003.008: /etc/passwd and /etc/shadow

Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information, including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user.

The Linux utility unshadow can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:

# /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

unix_mitre_attck_cred_access: PT-CR-1694: Unix_Hashdump: User password hashes were retrieved using the Hashdump MSF module
unix_mitre_attck_cred_access: PT-CR-1696: Unix_Cred_Files_Read: Unix OS files containing credentials were read


ID: DS0022
Data source and component: File: File Access
Description: Monitor for access to files by processes that may be attempting to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes attempting to access /etc/passwd and /etc/shadow, alerting on the pid, process name, and arguments of such programs.

ID: DS0017
Data source and component: Command: Command Execution
Description: Monitor executed commands and arguments that may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking.
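The following sketch shows how the AuditD records described above can be correlated to yield the pid, executable, and arguments of a process that touched either file. It is an added example, not part of the original page or of any Positive Technologies product; the audit key name cred_files, the allowlist, and the log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed audit rules producing these records (key name is an assumption):
#   -w /etc/passwd -p r -k cred_files
#   -w /etc/shadow -p r -k cred_files
WATCHED = {"/etc/passwd", "/etc/shadow"}
# Assumed allowlist of binaries expected to read these files; tune per host.
ALLOWED_EXE = {"/usr/sbin/sshd", "/usr/bin/sudo", "/usr/bin/passwd"}

EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_proctitle(raw):
    """auditd hex-encodes argv (NUL-separated) unless it is a plain quoted string."""
    if raw.startswith('"'):
        return raw.strip('"')
    return bytes.fromhex(raw).replace(b"\x00", b" ").decode("utf-8", "replace")

def detect(lines):
    """Correlate records by event id; alert on watched-file access by unexpected executables."""
    events = defaultdict(lambda: {"paths": set()})
    for line in lines:
        m = EVENT_ID.search(line)
        if not m:
            continue
        f, ev = dict(FIELD.findall(line)), events[m.group(1)]
        if f.get("type") == "SYSCALL":
            ev.update(pid=f.get("pid"), exe=f.get("exe", "").strip('"'))
        elif f.get("type") == "PATH":
            ev["paths"].add(f.get("name", "").strip('"'))
        elif f.get("type") == "PROCTITLE":
            ev["args"] = decode_proctitle(f.get("proctitle", '""'))
    return [
        {"event": eid, "pid": ev.get("pid"), "exe": ev.get("exe"),
         "args": ev.get("args"), "files": sorted(ev["paths"] & WATCHED)}
        for eid, ev in events.items()
        if ev["paths"] & WATCHED and ev.get("exe") not in ALLOWED_EXE
    ]

# Constructed sample records (not real logs): one unshadow run, one sshd read.
_ARGV = b"/usr/bin/unshadow\x00/etc/passwd\x00/etc/shadow".hex().upper()
SAMPLE = [
    'type=SYSCALL msg=audit(1700000000.123:401): arch=c000003e syscall=257 success=yes exit=3 pid=4242 uid=0 comm="unshadow" exe="/usr/bin/unshadow" key="cred_files"',
    'type=PATH msg=audit(1700000000.123:401): item=0 name="/etc/shadow" nametype=NORMAL',
    f'type=PROCTITLE msg=audit(1700000000.123:401): proctitle={_ARGV}',
    'type=SYSCALL msg=audit(1700000001.500:402): arch=c000003e syscall=257 success=yes exit=4 pid=900 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="cred_files"',
    'type=PATH msg=audit(1700000001.500:402): item=0 name="/etc/shadow" nametype=NORMAL',
]
```

Because /etc/passwd is world-readable and read by many benign programs, the allowlist for it needs to be far broader than the one for /etc/shadow.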


ID: M1026
Name: Privileged Account Management
Description: Follow best practices in restricting access to privileged accounts to prevent hostile programs from accessing such sensitive information.

ID: M1027
Name: Password Policies
Description: Ensure that root accounts have complex, unique passwords across all systems on the network.